IMPORTANT
SNS 3.x versions have reached End of Maintenance since July 1st, 2024.
We recommend that you update your SNS firewalls to a version with maintenance to guarantee the protection of your infrastructure.
SNS 3.7.13 LTSB bug fixes
System
IPsec VPN IKEv1
Support reference 77358
When IPsec VPN tunnels were set up with remote users (also known as mobile or nomad users), phase 1 of the IKE negotiation would fail because fragmented packets were not correctly reconstructed after they were received. This anomaly has been fixed.
Support reference 65964
The IPsec management engine (Racoon) used for IKEv1 policies no longer interrupts the phase 2 negotiation with a peer when another phase 2 negotiation fails with the same peer.
IPsec VPN IKEv2 or IKEv1 + IKEv2
Support reference 75303
When the Bird dynamic routing engine (bird for IPv4 or bird6 for IPv6) was restarted too often, it would cause the IKE daemon to malfunction, preventing IPsec VPN tunnels from being negotiated. This anomaly has been fixed.
IPsec VPN - Logs
Support reference 69858 - 71797
Text strings exceeding the maximum length allowed when they are sent to the firewall's log management service are now correctly truncated and no longer contain non-UTF-8 characters. This anomaly would cause a malfunction when logs were read through the web administration interface.
In addition:
- The maximum supported length of a log line is now 2048 characters,
- The maximum supported length of a text field contained in a log line is now 256 characters.
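The fix above describes two separate failure modes: oversized strings, and truncation that leaves non-UTF-8 fragments in a log line (which is what broke the web interface's log reader). The example below is added here and is not Stormshield code; it shows how a log writer can enforce both limits while guaranteeing the output stays valid UTF-8. It assumes a syslog-style key=value line format with optional double-quoted values, applies the page's 2048 and 256 limits as byte limits on the UTF-8 encoding (an assumption, since the page says "characters"), and goes one step further than the text by also replacing invalid bytes already present in the input.

```python
"""UTF-8-safe truncation of key=value log lines (added example, not SNS code)."""
from __future__ import annotations

import re

# Assumption: the page's 2048-character line limit and 256-character field
# limit are applied here as byte limits on the UTF-8 encoding.
MAX_LINE_BYTES = 2048
MAX_FIELD_BYTES = 256

# Assumed format: key=bare_value or key="quoted value with \" escapes".
_FIELD_RE = re.compile(
    r'(?P<key>[A-Za-z0-9_]+)=(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<bare>\S*))'
)


def truncate_utf8(text: str, limit: int) -> str:
    """Return text cut to at most `limit` UTF-8 bytes, never splitting a code point."""
    encoded = text.encode("utf-8")
    if len(encoded) <= limit:
        return text
    # A plain byte cut can end in the middle of a multi-byte sequence; because
    # `encoded` is valid UTF-8, that trailing fragment is the only thing
    # errors="ignore" can drop, so no interior data is lost.
    return encoded[:limit].decode("utf-8", errors="ignore")


def drop_dangling_escape(value: str) -> str:
    """Remove a trailing backslash left unpaired when a quoted value was cut."""
    trailing = len(value) - len(value.rstrip("\\"))
    return value[:-1] if trailing % 2 == 1 else value


def parse_fields(text: str) -> list[tuple[str, str, bool]]:
    """Split a line into (key, value, was_quoted) triples."""
    fields = []
    for m in _FIELD_RE.finditer(text):
        if m.group("quoted") is not None:
            fields.append((m.group("key"), m.group("quoted"), True))
        else:
            fields.append((m.group("key"), m.group("bare"), False))
    return fields


def sanitize_log_line(raw: bytes) -> str:
    """Decode, bound every field and the whole line, and keep the line parseable."""
    # Invalid input bytes become U+FFFD instead of surviving as non-UTF-8 garbage.
    text = raw.decode("utf-8", errors="replace")
    out: list[str] = []
    used = 0
    for key, value, quoted in parse_fields(text):
        value = truncate_utf8(value, MAX_FIELD_BYTES)
        if quoted:
            token = f'{key}="{drop_dangling_escape(value)}"'
        else:
            token = f"{key}={value}"
        cost = len(token.encode("utf-8")) + (1 if out else 0)  # one byte for the separator
        if used + cost > MAX_LINE_BYTES:
            break  # drop whole trailing fields rather than cutting inside a quoted value
        out.append(token)
        used += cost
    return " ".join(out)


if __name__ == "__main__":
    # Constructed sample: a 300-byte message of 3-byte characters plus an invalid byte.
    sample = b'id=firewall01 msg="' + "\u20ac".encode("utf-8") * 100 + b'" user=al\xffice'
    print(sanitize_log_line(sample))
```

The line limit is enforced by dropping whole trailing fields instead of cutting the joined string, so a consumer never sees an unbalanced quote; a per-field limit alone does not guarantee the line limit, which is why both are checked.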
IPsec VPN - Virtual interfaces
Support reference 77032
During the decryption of IPv6 traffic transported in IPv4 IPsec tunnels through virtual interfaces, the firewall did not look for return routes among the IPv6 virtual interfaces. Such IPv6 packets are now correctly exchanged at each tunnel endpoint.
SSL VPN Portal
Support reference 77062
Even though the maximum number of servers accessible via the SSL VPN Portal had been reached, additional machines could still be declared. This would cause the firewall's authentication engine to restart repeatedly. Now, servers can no longer be created once the limit is reached; this limit varies according to the firewall model.
Proxies
Support references 76535 - 75662 - 77210 - 78103
A potential race condition between the SSL and HTTP proxy queues would sometimes shut down the proxy manager unexpectedly. This anomaly has been fixed.
SSL proxy
Support reference 77207
An anomaly in the SSL decision cache (decrypt, do not decrypt, etc.), which occurred when there were simultaneous connections to the same destination IP address on different ports, would occasionally corrupt this cache and freeze the SSL proxy. This anomaly has been fixed.
Support reference 78044
When attempts to connect to an unreachable SSL server resulted in the SSL proxy immediately returning an error message, the firewall would not properly shut down such connections. An increasing amount of such connections wrongly considered active would then slow down legitimate SSL traffic. This anomaly has been fixed.
High availability - link aggregation
Support reference 71002
Whenever the weight of a link aggregate was modified in an HA configuration (High availability module > Weight field, or the CLI / Serverd command CONFIG HA WEIGHT UPDATE), the change would not be applied and a system error would be generated. This anomaly has been fixed.
High availability - Filtering and NAT - Time objects
Support references 76822 - 73023
To prevent network instability in high availability clusters, the re-evaluation of filter rules is now optimized when there is a change in the status of time objects used in one or several of these rules.
SLD daemon
Support references 77168 - 72940
The SLD no longer restarts and logs off all users when two users log in via the SSL VPN portal and access the same resource.
Support references 78166 - 73026
The SLD process would sometimes consume an excessive amount of memory. This anomaly has been fixed.
Global host objects included in router objects
Support reference 71974
When global host objects included in router objects are renamed, the change is now correctly applied in the router object concerned.
Connections from Stormshield Management Center (SMC)
Support reference 76345
During the initial connection from SMC to the web administration interface of a firewall in version 3.7 or higher, attempts to retrieve the archive containing all the interface data would fail, thereby preventing connections to the firewall from SMC. This anomaly has been fixed.
Monitoring gateways
Support reference 75745
On firewalls that process many connections and use configurations with many gateways, replies to pings could take longer to reach the gateway monitoring mechanism. When this occurred, the mechanism would continuously re-send pings and restart without sending notifications such as logs or system events. This anomaly has been fixed.
Support references 75745 - 74524
After a firewall is restarted, the router monitoring service now correctly applies the last known status of these routers.
Support reference 75745
The gateway monitoring mechanism would sometimes restart unexpectedly. This anomaly has been fixed.
Filter - NAT
Support reference 70125
The firewall would sometimes become unreachable if it was restarted after reactivating a filter policy that contained an enabled rule with two empty network object groups in the source or destination.
Firewalls with IX cards
Support reference 74758
The fix below applies to firewalls that use fiber 4x10 Gbps network extension modules on SN710, SN910, SN2000, SN3000 and SN6000 models (the same module is compatible with SN2100 and SN3100 models).
After the firewall starts up, the automatic media speed detection could fail to be negotiated, and the firewall would consider the network interface offline. The interface could be re-enabled only by physically disconnecting and reconnecting the media. This issue has been fixed, and the available values for IX network cards can now be selected in the Network > Interfaces module.
Network
Wi-Fi
Support reference 75238
Changes to the access password of a Wi-Fi network hosted by the firewall are now correctly applied.
Policy-based routing
Support reference 76999
In PBR, when routers were changed directly in filter rules, IPState connection tables (for GRE, SCTP and other protocols) now apply the new router IDs.
Management of ARP entries
Support reference 78514
Permanent ARP entries, created when host network objects with MAC addresses are added, are no longer wrongly deleted after filter policies are reactivated.
Hardware
SN6000 model firewalls
Support references 75577 - 75579
In a few rare cases, a message warning of missing power supply modules would be wrongly sent on SN6000 firewalls equipped with an IPMI module in version 3.54. A mechanism that restarts the IPMI module has been set up to deal with this issue.
This mechanism is disabled by default and does not affect traffic going through the firewall, but it temporarily prevents component data from being refreshed. The mechanism needs about five minutes to run its course, which is the time it takes to restart the IPMI module and refresh the component data.
This new parameter can only be modified through the CLI / SSH command:
setconf /usr/Firewall/ConfigFiles/system Monitord EnableRestartIPMI <0|1>
For more information on the syntax of this command, refer to the CLI / SSH Commands Reference Guide.
Intrusion prevention
NTP
Support reference 74654
To improve compatibility with certain vendors, the maximum size of NTP v3 packets considered valid is now set to 120 bytes by default.
NB-CIFS protocol
Support reference 77166
The analysis of NB-CIFS traffic from Microsoft Windows hosts no longer wrongly raises the alarm "Invalid NBSS/SMB2 protocol" (alarm nb-cifs:157).
DCERPC protocol
Support references 70716 - 70590
Risks of memory leaks and of the firewall shutting down unexpectedly during the analysis of the DCERPC protocol have been fixed.
High availability
Support reference 70654
When the active firewall received packets over a non-HA interface from a source address that is an IP address used for the HA link (IP address spoofing attempt), the firewall cluster would become unstable if:
- Such packets were allowed by a rule in Firewall or IDS mode, or
- The action of the "IP address spoofing (type 2)" alarm was forced to "pass".
Additional protection mechanisms have been set up to prevent such situations.
Web administration interface
Special characters
Support references 68883 - 72034 - 72125 - 73404
A bug during the conversion of special characters to UTF-8 (e.g. Asian or accented characters) would sometimes generate XML errors and prevent affected modules, such as filtering and NAT, from being displayed. This anomaly has been fixed.
SSL VPN monitoring
Support reference 77426
During the monitoring of SSL VPN tunnels, the web administration interface would not retrieve the user associated with a tunnel in the following cases:
- In the tooltip of the User column when the user hovered over a tunnel,
- When results displayed in a grid were exported to a CSV file.
This anomaly has been fixed.